Analysis
max time kernel: 143s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 13:24
Static task: static1
General
Target: 4410b1ef33f5f0ef64c12c1d56660c09d7a49329a73b16fa824e341b4a7e1d58.exe
Size: 5.5MB
MD5: 595064e37dcbc37d6931d2d68ac3b1a4
SHA1: 83d683b0c574c607cee956533f07b2559927a310
SHA256: 4410b1ef33f5f0ef64c12c1d56660c09d7a49329a73b16fa824e341b4a7e1d58
SHA512: 5a10196383b11cd65a3d2b3d4edf57d41351cb2991fdca82d1ac753dd92e467a55ecafcf1af54a521c51f71429dc81db6a653b800eef59ff12c4579aa625eb14
SSDEEP: 98304:HIG+VDb2fJy5aOWCSUw3hvM2egs1OCzjFa5pobb:SeiwRTegsLxa
Malware Config
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
Attributes:
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Extracted
Family: lumma
C2:
- https://sordid-snaked.cyou/api
- https://awake-weaves.cyou/api
- https://wrathful-jammy.cyou/api
- https://debonairnukk.xyz/api
- https://diffuculttan.xyz/api
- https://effecterectz.xyz/api
- https://deafeninggeh.biz/api
- https://immureprech.biz/api
- https://tacitglibbr.biz/api
- https://impend-differ.biz/api
- https://print-vexer.biz/api
- https://dare-curbys.biz/api
- https://covery-mover.biz/api
- https://formy-spill.biz/api
- https://dwell-exclaim.biz/api
- https://zinc-sneark.biz/api
- https://se-blurry.biz/api
- https://drive-connect.cyou/api
Extracted
Family: stealc
Botnet: stok
C2: http://185.215.113.206
Attributes:
- url_path: /c4becf79229cb002.php
Extracted
Family: lumma
C2:
- https://tacitglibbr.biz/api
- https://immureprech.biz/api
- https://deafeninggeh.biz/api
- https://wrathful-jammy.cyou/api
- https://awake-weaves.cyou/api
- https://sordid-snaked.cyou/api
- https://drive-connect.cyou/api
- https://covery-mover.biz/api
Signatures
Amadey family
Gcleaner family
Lumma family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 6d6ab56d8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 6d6ab56d8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 6d6ab56d8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 6d6ab56d8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 6d6ab56d8f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 6d6ab56d8f.exe
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 9 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1V40B6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2j6801.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5a41c01182.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3j71q.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c5babab44c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6d6ab56d8f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 18 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3j71q.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c5babab44c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1V40B6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2j6801.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3j71q.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1V40B6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5a41c01182.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5a41c01182.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c5babab44c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6d6ab56d8f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6d6ab56d8f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2j6801.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 1V40B6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 9979c02861.exe
Executes dropped EXE (15 IoCs)
pid | Process
1640 | l9K66.exe
2068 | 1V40B6.exe
1136 | skotes.exe
2600 | 2j6801.exe
1380 | 5a41c01182.exe
4856 | f880e5b4ff.exe
3236 | f880e5b4ff.exe
4964 | 9979c02861.exe
2020 | 3j71q.exe
4628 | c6fab6c5ae.exe
2604 | 9cf57435d6.exe
4036 | c5babab44c.exe
7084 | 6d6ab56d8f.exe
6592 | skotes.exe
5920 | skotes.exe
Identifies Wine through registry keys (2 TTPs, 9 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 5a41c01182.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 3j71q.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | c5babab44c.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 6d6ab56d8f.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 1V40B6.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 2j6801.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 6d6ab56d8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 6d6ab56d8f.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4410b1ef33f5f0ef64c12c1d56660c09d7a49329a73b16fa824e341b4a7e1d58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | l9K66.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9cf57435d6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014405001\\9cf57435d6.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c5babab44c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014406001\\c5babab44c.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6d6ab56d8f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014407001\\6d6ab56d8f.exe" | skotes.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0007000000023c6d-148.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
pid | Process
2068 | 1V40B6.exe
1136 | skotes.exe
2600 | 2j6801.exe
1380 | 5a41c01182.exe
2020 | 3j71q.exe
4036 | c5babab44c.exe
7084 | 6d6ab56d8f.exe
6592 | skotes.exe
5920 | skotes.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4856 set thread context of 3236 | 4856 | f880e5b4ff.exe | 97
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1V40B6.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4904 | 4964 | WerFault.exe | 101
6272 | 1380 | WerFault.exe | 88
System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4410b1ef33f5f0ef64c12c1d56660c09d7a49329a73b16fa824e341b4a7e1d58.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f880e5b4ff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 9cf57435d6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c5babab44c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3j71q.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9cf57435d6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | l9K66.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2j6801.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f880e5b4ff.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 9cf57435d6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6d6ab56d8f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1V40B6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5a41c01182.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9979c02861.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c6fab6c5ae.exe
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 9979c02861.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 9979c02861.exe
Delays execution with timeout.exe (1 IoC)
pid | Process
4400 | timeout.exe
Kills process with taskkill (5 IoCs)
pid | Process
4772 | taskkill.exe
448 | taskkill.exe
4192 | taskkill.exe
1920 | taskkill.exe
4280 | taskkill.exe
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (27 IoCs; identical rows collapsed, count = number of identical entries)
pid | Process | count
2068 | 1V40B6.exe | 2
1136 | skotes.exe | 2
2600 | 2j6801.exe | 2
1380 | 5a41c01182.exe | 2
2020 | 3j71q.exe | 2
4964 | 9979c02861.exe | 2
2604 | 9cf57435d6.exe | 4
4036 | c5babab44c.exe | 2
7084 | 6d6ab56d8f.exe | 5
6592 | skotes.exe | 2
5920 | skotes.exe | 2
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4772 | taskkill.exe
Token: SeDebugPrivilege | 448 | taskkill.exe
Token: SeDebugPrivilege | 4192 | taskkill.exe
Token: SeDebugPrivilege | 1920 | taskkill.exe
Token: SeDebugPrivilege | 4280 | taskkill.exe
Token: SeDebugPrivilege | 2004 | firefox.exe
Token: SeDebugPrivilege | 2004 | firefox.exe
Token: SeDebugPrivilege | 7084 | 6d6ab56d8f.exe
Suspicious use of FindShellTrayWindow (36 IoCs; identical rows collapsed)
pid | Process | count
2068 | 1V40B6.exe | 1
2604 | 9cf57435d6.exe | 14
2004 | firefox.exe | 21
Suspicious use of SendNotifyMessage (34 IoCs; identical rows collapsed)
pid | Process | count
2604 | 9cf57435d6.exe | 14
2004 | firefox.exe | 20
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2004 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count = number of identical entries)
description | pid | Process | procid_target | count
PID 1064 wrote to memory of 1640 | 1064 | 4410b1ef33f5f0ef64c12c1d56660c09d7a49329a73b16fa824e341b4a7e1d58.exe | 83 | 3
PID 1640 wrote to memory of 2068 | 1640 | l9K66.exe | 84 | 3
PID 2068 wrote to memory of 1136 | 2068 | 1V40B6.exe | 85 | 3
PID 1640 wrote to memory of 2600 | 1640 | l9K66.exe | 86 | 3
PID 1136 wrote to memory of 1380 | 1136 | skotes.exe | 88 | 3
PID 1136 wrote to memory of 4856 | 1136 | skotes.exe | 95 | 3
PID 4856 wrote to memory of 3236 | 4856 | f880e5b4ff.exe | 97 | 10
PID 1136 wrote to memory of 4964 | 1136 | skotes.exe | 101 | 3
PID 1064 wrote to memory of 2020 | 1064 | 4410b1ef33f5f0ef64c12c1d56660c09d7a49329a73b16fa824e341b4a7e1d58.exe | 103 | 3
PID 1136 wrote to memory of 4628 | 1136 | skotes.exe | 108 | 3
PID 4964 wrote to memory of 5088 | 4964 | 9979c02861.exe | 109 | 3
PID 5088 wrote to memory of 4400 | 5088 | cmd.exe | 115 | 3
PID 1136 wrote to memory of 2604 | 1136 | skotes.exe | 116 | 3
PID 2604 wrote to memory of 4772 | 2604 | 9cf57435d6.exe | 118 | 3
PID 1136 wrote to memory of 4036 | 1136 | skotes.exe | 121 | 3
PID 2604 wrote to memory of 448 | 2604 | 9cf57435d6.exe | 122 | 3
PID 2604 wrote to memory of 4192 | 2604 | 9cf57435d6.exe | 124 | 3
PID 2604 wrote to memory of 1920 | 2604 | 9cf57435d6.exe | 126 | 3
PID 2604 wrote to memory of 4280 | 2604 | 9cf57435d6.exe | 128 | 3
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4410b1ef33f5f0ef64c12c1d56660c09d7a49329a73b16fa824e341b4a7e1d58.exe"C:\Users\Admin\AppData\Local\Temp\4410b1ef33f5f0ef64c12c1d56660c09d7a49329a73b16fa824e341b4a7e1d58.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9K66.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9K66.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1V40B6.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1V40B6.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\1014398001\5a41c01182.exe"C:\Users\Admin\AppData\Local\Temp\1014398001\5a41c01182.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1380 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 15526⤵
- Program crash
PID:6272
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014402001\f880e5b4ff.exe"C:\Users\Admin\AppData\Local\Temp\1014402001\f880e5b4ff.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\1014402001\f880e5b4ff.exe"C:\Users\Admin\AppData\Local\Temp\1014402001\f880e5b4ff.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3236
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014403001\9979c02861.exe"C:\Users\Admin\AppData\Local\Temp\1014403001\9979c02861.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014403001\9979c02861.exe" & rd /s /q "C:\ProgramData\AAA1NOZCT2VA" & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4400
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 21446⤵
- Program crash
PID:4904
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014404001\c6fab6c5ae.exe"C:\Users\Admin\AppData\Local\Temp\1014404001\c6fab6c5ae.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4628
-
-
C:\Users\Admin\AppData\Local\Temp\1014405001\9cf57435d6.exe"C:\Users\Admin\AppData\Local\Temp\1014405001\9cf57435d6.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:448
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4192
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:4216
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2004 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eaaf47f-4b17-4575-b32a-e1978ab16c52} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" gpu8⤵PID:4444
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03724374-9b4e-472e-a666-29c9d1fdc56f} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" socket8⤵PID:2584
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3136 -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 3124 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af76adf3-683b-43cb-8a81-6af34ef5c878} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab8⤵PID:3976
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3788 -childID 2 -isForBrowser -prefsHandle 3784 -prefMapHandle 3780 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c4633ed-4b4b-4192-b111-cec4546d76b1} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab8⤵PID:448
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4540 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4532 -prefMapHandle 4476 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd5adebc-2d60-469d-aad2-233fe24ae6e2} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" utility8⤵
- Checks processor information in registry
PID:6704
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -childID 3 -isForBrowser -prefsHandle 5080 -prefMapHandle 5072 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {478f2d88-1a72-418a-b401-c7ac2557f04a} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab8⤵PID:4280
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 4 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c781837-d791-4771-ae5a-24274c5428c9} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab8⤵PID:3636
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5100 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8d2118e-c0cf-4d80-bd23-7a6464943661} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab8⤵PID:1972
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014406001\c5babab44c.exe"C:\Users\Admin\AppData\Local\Temp\1014406001\c5babab44c.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4036
-
-
C:\Users\Admin\AppData\Local\Temp\1014407001\6d6ab56d8f.exe"C:\Users\Admin\AppData\Local\Temp\1014407001\6d6ab56d8f.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7084
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2j6801.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2j6801.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2600
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3j71q.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3j71q.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2020
-
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4964 -ip 4964
Nesting level: 1
PID: 4056

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1380 -ip 1380
Nesting level: 1
PID: 6248

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Nesting level: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 6592

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Nesting level: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 5920
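The "Modifies Windows Defender Real-time Protection settings" behaviour attributed to 6d6ab56d8f.exe above is a policy write: DWORD values set to 1 under the Real-Time Protection policy key, reached by this 32-bit process through the WOW6432Node view. The detector below is an added example (not part of the sandbox platform or of the report) that flags such writes in registry-set events. The log lines are constructed in the shape of Sysmon Event ID 13 (registry SetValue) and are not taken from the report; the field names (EventType, Image, TargetObject, Details) follow Sysmon's, and the pipe-delimited layout is an assumption for the sake of a self-contained script.

```python
"""Detect Windows Defender real-time protection being switched off via policy.

Added example for this report, not the sandbox's own tooling. Flags registry
SetValue events that write DWORD 1 to one of the known "Disable*" values under
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, in
either the native or the WOW6432Node view. Sample events are constructed.
"""
import re
from dataclasses import dataclass

# Policy values that, at DWORD 1, disable a part of real-time protection.
# Keyed by lowercase name so the registry's case-insensitive matching holds.
RTP_DISABLE_VALUES = {v.lower(): v for v in (
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
)}

# Policy key in the native or WOW6432Node view, with the common hive spellings.
RTP_KEY_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Sysmon renders DWORD data as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


@dataclass(frozen=True)
class Alert:
    image: str
    value_name: str   # canonical spelling of the policy value that was set
    data: int


def parse_event(line: str) -> dict:
    """Split a constructed 'Field=value|Field=value' line into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)


def detect_rtp_tampering(lines):
    """Return one Alert per SetValue event that writes 1 to a disable value.

    CreateKey events, writes of 0 (re-enabling), and writes elsewhere in the
    registry are ignored, so a benign configuration change does not alert.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventType") != "SetValue":
            continue
        key = RTP_KEY_RE.match(ev.get("TargetObject", ""))
        if not key:
            continue
        canonical = RTP_DISABLE_VALUES.get(key.group("value").lower())
        if canonical is None:
            continue
        dword = DWORD_RE.search(ev.get("Details", ""))
        if dword and int(dword.group(1), 16) == 1:
            alerts.append(Alert(ev.get("Image", "?"), canonical, 1))
    return alerts


# Constructed sample events (not from the report). The first two mirror the
# observed behaviour; the remaining three are benign or reset-to-0 and must
# not alert.
SAMPLE_EVENTS = [
    r"EventType=SetValue|Image=C:\Users\Admin\AppData\Local\Temp\1014407001\6d6ab56d8f.exe"
    r"|TargetObject=\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender"
    r"\Real-Time Protection\DisableRealtimeMonitoring|Details=DWORD (0x00000001)",
    r"EventType=SetValue|Image=C:\Users\Admin\AppData\Local\Temp\1014407001\6d6ab56d8f.exe"
    r"|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
    r"\Real-Time Protection\DisableBehaviorMonitoring|Details=DWORD (0x00000001)",
    r"EventType=SetValue|Image=C:\Windows\System32\gpupdate.exe"
    r"|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
    r"\Real-Time Protection\DisableIOAVProtection|Details=DWORD (0x00000000)",
    r"EventType=CreateKey|Image=C:\Users\Admin\AppData\Local\Temp\1014407001\6d6ab56d8f.exe"
    r"|TargetObject=\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender"
    r"\Real-Time Protection",
    r"EventType=SetValue|Image=C:\Windows\explorer.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"
    r"|Details=C:\Program Files\OneDrive\OneDrive.exe",
]


if __name__ == "__main__":
    for a in detect_rtp_tampering(SAMPLE_EVENTS):
        print(f"{a.image}: {a.value_name} = {a.data}")
```

Matching the key path rather than the value name alone matters: the same value names exist under HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection, which Defender itself writes, whereas the Policies branch is what Group Policy (or, here, malware) sets to override the product's own state.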
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads
-
Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json
Filesize: 19KB
MD5: 8edde0d217bce75ba8532f05df0b8b11
SHA1: b033fecee297099c8ff5e7c9c37bd43da3089615
SHA256: 465373e553f680b7f0b18b5d287ced867e41a6c8307427f8f1ea6c5957f92c31
SHA512: 15e1c04d6cba0eec45d63b15b6a4fcf8468c2021c21df1d70bfb49107e843ddf92b99733508a7b559ce5922c3d222703a30577dd182db9bff8a9832a5f08bc27
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize: 13KB
MD5: 9a54ac0825672b036bbab0e7809a60b5
SHA1: 4539629b9f1332bbd67afa21bcfbe44826b8417a
SHA256: 5a2e35569abb192bad7be9d0e3720a0b030d39189bbca9f74799627fcc7707ae
SHA512: 18221be705a4842386c6394e4dbe2b52b631f2829a7b5e3e3027d2cee5c2d36bc3eb3b8c54bf680d9484faf5765535c1697e8d77a2612224af32d87501d805f1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 15KB
MD5: 96c542dec016d9ec1ecc4dddfcbaac66
SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize: 1.9MB
MD5: c270b2bd3dd5cbc4eca9a2337870d80f
SHA1: 05215b2a48284f2025fd54e98ba89e60e1b825b8
SHA256: 31e2255304e6a0eb615cc93c582567c46e8e0aa948eaa8bd28db603730428004
SHA512: 2120b40c6cfae4e62150d726512ee940893b81963fec14d62fbe087d3baf15b97f729677a478113f3e5a6ac62b88324af95cb9d2a2ac9417c6ad1685bfee2615
-
Filesize: 710KB
MD5: 28e568616a7b792cac1726deb77d9039
SHA1: 39890a418fb391b823ed5084533e2e24dff021e1
SHA256: 9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA512: 85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
-
Filesize: 384KB
MD5: dfd5f78a711fa92337010ecc028470b4
SHA1: 1a389091178f2be8ce486cd860de16263f8e902e
SHA256: da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512: a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize: 2.5MB
MD5: 2a78ce9f3872f5e591d643459cabe476
SHA1: 9ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA256: 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA512: 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize: 943KB
MD5: 4853be4f2bb74b706effcc60fc06446b
SHA1: 405666e3bfc16348677d5fe2224d7bd8b739d94f
SHA256: 1fff6fb9300916f4d128a5b2df8ca413f1d820660b8f61b54a203a9e0fd76372
SHA512: 02ffabd11493e0aec0d62fe5f980cb91e587e9dafe36fbf7ed67733bf3f68757f2a09ad53af6d610ba1125b486ebcb695a719b2dfa30ecca0c2950c2735f8ccf
-
Filesize: 1.7MB
MD5: 98c5024a596c5c548d36bc33ae113a73
SHA1: b30aefb89057c1c6bab845df896777bc97230ae3
SHA256: 63f607b4cd4804876dd817163529180a18a30245aefc92e1ea79eaea6348a121
SHA512: d6853305f9f26a09e98ad270498d57f52a604667984c754c3f7aab5d5f3270416e25e9c328981d63b2675c661da5f454c290cf291c932338593ae80f8e85fc9d
-
Filesize: 2.7MB
MD5: 48d72055c656230bed2ebc5831008349
SHA1: 158a1540a163a2e47eae9426e89b10febb86d7ec
SHA256: 28bbe25cec4284374cd34fcb0bc1b203a5663de1383927640cc6c9ed40788634
SHA512: c72186e9deb21e811923f128da31c9053271826f9acdebe18c38d5730bb34eda9a9dc4cf0baf5926e071fb388272799a180c827c04a1b953523876dc7af04e3f
-
Filesize: 1.8MB
MD5: 4cd665bb2e14afaf47313eefa5b3062f
SHA1: 5cae67a79d827beb065abe49446c1be1d46f1ba2
SHA256: c1f435b6b40bd2e00f4b7d3a89ffc46091cc8298ae70bb97444aab650dbb17e0
SHA512: 818db1b60e8f0e4b23e027631ec38894429dfc65f846635d992faba893d19d7c2774cfc836a3f93a81a39fb0a96c7537f4bd8591acd4934a44a3105876d84cb6
-
Filesize: 3.6MB
MD5: adcd60cf6347202c65729d4f26f35f9c
SHA1: 945bc5988fa4f476da5b68669f1e3612bc4e7193
SHA256: a7a934906241bcb6e98a2a0585a4c4baaf977ce600bb1a5548f8e1f0b1546368
SHA512: 1508bdae506f1c6a621273d0e694d4cc1f53a24eef77de746186c737e7ccc4ea1ac51383c462e80718264b5fdb61ef081e15a5428de7660f7b0a56609d5a1f09
-
Filesize: 3.1MB
MD5: 52844852230f99e02891a15b601571f2
SHA1: 53bfe041262404913af4764d56fe3afb6bea2616
SHA256: 30254b13c93de15fd6c697da7b3ed6677291a939a95156c5b527d8b21ce1ca6c
SHA512: d170f9d5b161712e60032a0534f7f71f4d3667d8466b6530f23f529ec48c98d98aa74661d65e6ef33a1f7469dcf776f6edfe51817b462ba9bc2476252439f54f
-
Filesize: 1.8MB
MD5: 34e2bca3b92a1852c57e5df538a97705
SHA1: 203437d7a054cb4eb7e3b8fe0dc7d877478d94f2
SHA256: 5a9bcc582b56aa80fff7c45701da58d28ab6fdb82182fe556ec85db9dd062498
SHA512: 7e98cfba815ce1e000f7267662b8a5875e266a8a312be30e7314db48eec3239f5a91662f7e5c6a00bd6ef335ebb1d7e315a451e682d0bb27d5b06e3ced7c62eb
-
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 3ba9d6deb4286c56c1cee53b60a1f6d1
SHA1: c801723ed9052d7d12ca0d96d966137c0d28fa7e
SHA256: 2b9d4ee11c7df244eacee6c56006fbc9f5303db02276bf40b1079b102889319d
SHA512: fdd463d5a711f3fd4c3500db9a27833d2707b86f62bcd851adac3268a9683296b4591125588ec4ae1636085932f69a42d1cf41880c5754a0778597163976687a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 61f1745f2bcffda3d6f7e5616fc9a27e
SHA1: da069b9a2eefd2a29ca4fbd95a6dbf6f2fd51d54
SHA256: d86c2261cbaca5bc3b7a229361d5ebef02f857b6c95b9fbe7b7207a08b4db42d
SHA512: d42c7ade2b0fe484bca4b98f669985918c3569ad76e6f4eb31130acc85de1689509c9c70c969f058527e1507bb00f399d0662e1b75c92340fece942ee9512d72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize: 23KB
MD5: b043a7c38618807334210e621d2d885f
SHA1: ba314b422cdb3e49cfc40b99daf25f2b2ec43b58
SHA256: 4952277087c985a3aafa256690dbf14b3bb507ce30f50ef3969acb79185ecf83
SHA512: 6756b546e10980e541026bb4814acbaf20f2d0ca079dc0e0a1313da8c7c6f49e2fc869939071d7ac72d73dd6188243c37f283e5984d15fbd50f6e27d335e122d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize: 15KB
MD5: 2493764e4b8dd4330bfde78dc2454d58
SHA1: 798fb32effd5c9c1108d8f444f9c4eb8e6f7ad58
SHA256: 122b63f26997cefc96078d718cb6e4b066f4f988112f7e9d7a3e2baaead78aba
SHA512: 92233a1fd0ddbd34c100e5fb52103058193586c72c4655c59ad36b996e0ce1a35d4bc9ac556ba756c1c8199167017be681ac29f17d080bb464b38bc290aac662
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize: 15KB
MD5: 598beb1b1611e688c47b5e1cc61f561f
SHA1: dbc2c2754f9419a97a4de47e8d9659db3109002b
SHA256: fcad47d26dfaafb0dabe04de316f9462ca32519c65266827ef821dcf330ede25
SHA512: bc782d188ef3e105b48d9f07120f3b3a00ba71ecde3c9ac1f656582f62d034537e2e0df82cdc4305aef71a1493c64478e66c87c431f5a2a8dbe21926f834466e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize: 15KB
MD5: ed1559c6558f61482e0b9f6748384292
SHA1: 18904ba56feab84a88e783cdd9b13b3b8c5667a2
SHA256: aa2b07a150c2cba3e2dc9c57f86a0b18d04530384c45d96f386d42df7b43a42f
SHA512: 074986cfa11ae6783385d6c281b1ec39da3486a5d11aa4b6e8b6f4547e001851126a2f0adbc8c5b87d3f41cbc88649a45bd9bfe1aab7389064ee31a629b1581f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize: 5KB
MD5: 4b90e9ddd81a23602e55a0c8b3debc24
SHA1: 7c953a8dca8372e1d372d045acea6ad2e7141d6f
SHA256: c2c90872f32af5b29b39d487135cd66fd1f1e738d8a6177bb0b18a2f1a99cbc1
SHA512: 85eb31c057be551b1acf31b2d778ed295d539af84e0186aa18b34074be2d67be296daef9e76857de69e6db56dd50a4b1ae58bc8cb66a3a5f03f55a124569c84d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 36e717d5b29e19b9ad455a25c99d2f09
SHA1: dc30ec3bc2f72d8c8680f3ceba52d7e0533f9df7
SHA256: feb94cb454ec7d843485d1cdc7ff47519f5cecd985210ceff3279a5a5532f0f5
SHA512: 47d7471603633e097979f927092b7aecbc189af84684bf994233012c765460678aed39f0633b0aa83a4c4c9ff9910c797a246c1ce514a3b2a153d118e3f7d184
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 00ae36d8532cc07d2e06fff2288133b8
SHA1: b7ab8736de38c043268a1aa554fa12b2802d2ef7
SHA256: f01895a919cb2b2ccf6d07484e9bf66b6bd78309ea1b1f0666e17620f290a1aa
SHA512: 6bbe9f010b6b16326070279a71470af218900043760a03e94868ea1e549ded2001a1603e97d7d68772d0992c20b274978a67f0033da24386e04536e21c27adc4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 14KB
MD5: d20e2bc889f4fd763e745867ce3a42d6
SHA1: 7619bd13e6dc0af95b89b9f765058764c5ce515b
SHA256: 6b72fa00aa54d7ce7851f71cc706a410113a3f8393e152d17eb9da215ede168e
SHA512: 837c3349494adae60e60554c453017a5acfa2c93fc948ecd0e3b73de5a566f9bdea6a6f5f5ff9179ee35a1e495211347474f137e5edf59fbc2cab00aef590746
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: e2beb66a945dfb81517431ecb97ecbdf
SHA1: 488a42e5e437f08d6612e4375c883f92ac0c9034
SHA256: 2ec9d4d365cd588571ae271554fa3277d2b69f79e321f9a733ff1beb6c5a94d4
SHA512: 01ecbb98208feb4906c8b2c5dc33c1d7d5c09853413d789839f194e56a28730b0728e0f080fa3359391096f7212d61001122da352a11b62d4c2918cff5839fde
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: 0b98ebd80c3be265112745896805554c
SHA1: 09803b7f87b49a500dbb949bd886c06e2b09128e
SHA256: 527c4464edd0d3f581941d56071e223fde8b229f037f6b1e019b66a01a2e14cf
SHA512: 671512ed017ac78e5b4e9ac4da5db1e2f5a027078ae7e0bbcafc655bd3a3f13a3deedc8632d8d8b3231f9b3a32eb39c6c76f4942f51a069dcc6ef81542457c5f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\7d4ee838-6257-4ee7-a9f6-a2e2b135fddd
Filesize: 28KB
MD5: 4980371a558a7bd1c55665fd6673492e
SHA1: 886c822120a0e151f198e97372312806be3bffe1
SHA256: 20420f7cb8d12159c6a93a1eb52264e55fe92a27b5d6303ecb3c228437bdf249
SHA512: 330c9b2823b51ac8a2977b6dad5cf8b3924a825733d54b8657caeab0e26515e49bc89f464d1402e465669ff9492ee54eb380916c3642f19663aee6695e914608
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\acc32ea3-5c87-4b51-aac7-83ad8bfaabbf
Filesize: 671B
MD5: d3997a4f2078a4e180e9d4cb45078520
SHA1: fae30bf741a21aae341887b754fe5d675afb0a8d
SHA256: 9ca5546d08c6d927d04fe09447a7b821f63cac0866afb7503b06178af050890e
SHA512: 936a62b368c3d3d7ac1bf6032659af282d03d3cd420340e0c9100e92d72522e678f7dca7395bcd38bca1abd6d5cd3c775c0b9e936f8efacf515d4ad0e59665d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\e383ddcb-a426-46dd-88c8-5323f76ea0c3
Filesize: 982B
MD5: 389cfb516f1c831346a5afb1fddecf53
SHA1: aba94f4f796cc6e944403bf848fba0cce9ddc20e
SHA256: 81d607919ad84368fcc20d221c2528a0ff49ac73626d64e2bea15123e2962b98
SHA512: 057febcdacf5e1b66a6506382d0af6f1351cd8bc7432b9bde266ea932bc77c2f37e43292c548b7513c69352ca96f3f8ca9bf090846f5c9a05af09c6982bfd489
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize: 10KB
MD5: 82e98a56a9289b166880225bcbb6d5ca
SHA1: 53d05d222164e0cf82cd0128e6511716a2b5b2d7
SHA256: 920e3d5b82eba713c7d7f4e615ad6cd12355041b8241820c9d10bbfde11f00fa
SHA512: d0bff0231e04f9fc6b169fdab04575ffaf98bccd31eaca216725a018fb6076126cf808c5872452e227efbfd3d5cf796f0f5038522244074d01d7717025578e27
-
Filesize: 12KB
MD5: f145b4223b4ed31eae3ef3c1b7e21ffa
SHA1: 87cb411ba7199afb988890354392b4d05caafc9a
SHA256: bae8e46b204163ce92bbf3af173cfb4e5c27d5bb918b08d29df2ec7a00040a02
SHA512: 567313edc361676409a75ec1e2db2f0abd57951c7f5cbab004ecb177a088323b4713b2ee9ba31358b8673a62af1614ed87bd5e98eddf820359a1ef667f587b9f
-
Filesize: 15KB
MD5: bff3f5a2a772d3bae2c8a0b1aa2f9500
SHA1: 8e8d66357eafd58eadc7a7e0ed79ee1d69a6a287
SHA256: 35ee0dfcfbd7bad4e85eb6adb2f1f0f84276dd8dd875757200c24524f5ee8ad1
SHA512: 40d0044c1803493374a253137e5187eb97432dc34d6380c9671d2a405287778e9a371fb49f10d6534d2cc96057552ce18ce26f103990f0b17503ed0ff59caf6a
-
Filesize: 10KB
MD5: 196902f44660c17f60defee5a2ee99e9
SHA1: 96e911d2476bff552c720040a763da3ab0ee6864
SHA256: 6aa72978346c54940b806ba43ac6dbdf7cd26dea79419826cbf95929c46a18f3
SHA512: 40188df9f6c3cbf3502c3eb70f06075fbb208486ad155fb6b4d8b05536b5db35e2e56e89f51866c2ff7c0eed4933b398075eb4e32db485a41210b7187317f584
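The dropped-file list above is the part of this report most directly reusable as indicators: four digests per file, some entries without a path. The script below is an added example (not the sandbox's own tooling) that parses entries in the form the export renders them (label fused to the value, such as "MD5<hex>", or "MD5: <hex>"), indexes them by every digest, and looks local files up against that index; it also reports when a file that matched on one digest disagrees with the others, which is how a transcription error in a copied hash shows up. REPORT_EXCERPT reproduces the first two entries of the list; the one-byte sample used in the usage check is constructed (the first entry's digests are those of the single ASCII byte "0"). The pipe-free line format and the `scan_directory` helper are assumptions made for a self-contained script.

```python
"""Index the dropped-file hashes from this report and look files up by digest.

Added example, not part of the sandbox platform. parse_hash_entries() reads
the flattened entries, build_index() keys them by every digest, match_bytes()
and scan_directory() check data against the index, and mismatched_algorithms()
flags digests that disagree with the data for an entry that matched.
"""
import hashlib
import re
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Accepts "MD5<hex>" (as exported) and "MD5: <hex>".
HASH_LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512):?\s*([0-9a-fA-F]+)$")
# Accepts "Filesize19KB", "Filesize: 19KB", or a bare "Filesize" with the value on the next line.
SIZE_LINE_RE = re.compile(r"^Filesize:?\s*(\S+)?$")
PATH_LINE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hash_entries(text: str) -> list:
    """Parse '-'-separated entries into dicts holding path, size and digests."""
    entries, cur = [], {}
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "-":
            if cur:
                entries.append(cur)
                cur = {}
        elif PATH_LINE_RE.match(line):
            cur["path"] = line
        elif (m := SIZE_LINE_RE.match(line)):
            if m.group(1):
                cur["size"] = m.group(1)
            else:                       # value sits on the following line
                i += 1
                cur["size"] = lines[i]
        elif (m := HASH_LINE_RE.match(line)):
            algo, hexdigest = m.group(1).lower(), m.group(2).lower()
            if len(hexdigest) != HEX_LEN[algo]:   # catches a truncated copy
                raise ValueError(f"{algo} digest has {len(hexdigest)} hex chars: {line}")
            cur[algo] = hexdigest
        i += 1
    if cur:
        entries.append(cur)
    return entries


def build_index(entries: list) -> dict:
    """Map (algorithm, hexdigest) -> entry so any single digest finds the entry."""
    return {(a, e[a]): e for e in entries for a in ALGOS if a in e}


def digests(data: bytes) -> dict:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def match_bytes(data: bytes, index: dict) -> list:
    """Entries whose recorded digest equals any digest of data (deduplicated)."""
    d = digests(data)
    hits = []
    for a in ALGOS:
        e = index.get((a, d[a]))
        if e is not None and not any(e is h for h in hits):
            hits.append(e)
    return hits


def mismatched_algorithms(data: bytes, entry: dict) -> list:
    """Algorithms whose recorded digest disagrees with the computed one."""
    d = digests(data)
    return [a for a in ALGOS if a in entry and entry[a] != d[a]]


def scan_directory(root, index: dict) -> list:
    """Hash every regular file under root; return (path, entry) matches."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            for e in match_bytes(p.read_bytes(), index):
                hits.append((str(p), e))
    return hits


# First two entries of the report's list, in the exported layout.
REPORT_EXCERPT = r"""
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json
Filesize19KB
MD58edde0d217bce75ba8532f05df0b8b11
SHA1b033fecee297099c8ff5e7c9c37bd43da3089615
SHA256465373e553f680b7f0b18b5d287ced867e41a6c8307427f8f1ea6c5957f92c31
SHA51215e1c04d6cba0eec45d63b15b6a4fcf8468c2021c21df1d70bfb49107e843ddf92b99733508a7b559ce5922c3d222703a30577dd182db9bff8a9832a5f08bc27
"""


if __name__ == "__main__":
    index = build_index(parse_hash_entries(REPORT_EXCERPT))
    for hit in match_bytes(b"0", index):          # constructed 1-byte sample
        print("match:", hit.get("path", "(no path recorded)"), hit["size"])
```

Unnamed entries (no path in the report) are still indexed; a hit on one of them tells you the bytes are known to this sample even if the sandbox did not record where it wrote them. Sizes are kept as the report's rounded strings, so compare on digests, not on size.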